When must an individual be notified of a breach in their PHI?

Under the HIPAA Breach Notification Rule, covered entities must provide notification to affected individuals without unreasonable delay and in no case later than 60 days following the discovery of a breach of unsecured PHI. According to HIPAA, covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates must notify individuals affected by a breach of their PHI. The breach notification must be provided without unreasonable delay and no later than 60 days following the discovery of the breach. The 60-day timeframe starts from the date the breach is discovered, rather than when it occurred. The deadline starts once the covered entity or business associate becomes aware of the breach, so prompt detection and investigation are required.

Notification StepDescription
Timing of NotificationCovered entities must provide notification of a breach without unreasonable delay and no later than 60 days after the discovery of the breach.
Content of NotificationThe notification should include a description of the breach, the types of information that were involved, steps individuals can take to protect themselves, what the entity is doing to investigate and mitigate the breach, and how to get further information.
Description of the BreachThis should include what happened, the date of the breach, and the date it was discovered, if known.
Types of Information InvolvedTypes of unsecured protected health information involved in the breach may include full name, Social Security number, date of birth, home address, account number, etc.
Protective Steps for IndividualsThe notification should suggest steps individuals should take to protect themselves from potential harm resulting from the breach.
Mitigation EffortsA brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent future breaches should be included.
Contact ProceduresThe notification should also include contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an email address, website, or postal address.
Notification to Secretary of HHSIf the breach involves more than 500 individuals, the entity must notify the Secretary of HHS and the media. If it involves fewer than 500 individuals, it must be reported to the Secretary of HHS annually.
Table: PHI Breach Notification Steps

In addition to the breach notification requirements outlined in the HIPAA laws, some state laws may impose more stringent requirements regarding the notification of breaches involving PHI. These state laws can vary and may include stricter timelines, additional reporting obligations, or specific content requirements for breach notifications.

To ensure compliance with breach notification requirements, covered entities and their business associates must be aware of and adhere to both HIPAA regulations and any applicable state laws, which implies regular HIPAA training. This involves understanding the specific requirements of the state(s) where individuals affected by the breach reside or where the breach occurred.

It is advisable to consult the relevant state laws and seek legal advice to determine the specific breach notification obligations imposed by state laws in order to ensure full compliance. Staying informed about both federal and state regulations will help covered entities and their business associates fulfill their responsibilities in notifying individuals affected by PHI breaches in a timely and comprehensive manner.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.